Windows Server behind pfsense



  • I'm running a Windows Server 2012 R2 domain controller behind a pfsense firewall.  Everything is working well however I'm getting the following message on the DC DNS.

    _Network interfaces must be configured with DNS servers that are able to resolve Global Catalog service records for the domain controller.

    A DNS server configured on the network interface did not respond to a query for the _ldap._tcp.gc._msdcs.<DnsDomainName> service (SRV) record._

    Anyone have any suggestions as to how to eliminate this?
    All and any comments greatly appreciated.
    WD



  • Use 127.0.0.1 as DNS Server on the Network Interface and setup the DC DNS Server to use pfSense or external DNS Servers as forwarders.



  • All of that has been done but it doesn't address the issues I'm having.

    WD


  • LAYER 8 Global Moderator

    If you're not pointing your DC to pfSense or outside DNS and you get this error

    "A DNS server configured on the network interface did not respond to a query for the _ldap._tcp.gc._msdcs.<DnsDomainName> service (SRV) record."

    and you're pointing it at itself, then it has a problem - run dcdiag on your Windows box, use the DNS test flag, say dcdiag /dnsall

    How about a simple ipconfig /all output from your DC so we can see where it's pointing to for DNS on this interface.



  • I'm having issues posting a reply.

    WD



  • Ok perhaps I can do this in parts.

    Here is one of the errors I'm getting on my Domain controller.
    Title:
    DNS: The DNS server 192.168.0.1 on Ethernet must resolve Global Catalog resource records for the domain controller

    Severity
    Error

    Date:
    2014-09-19 11:07:02 PM

    Category:
    Configuration

    Problem:
    The DNS server 192.168.0.1 on Ethernet did not successfully resolve the name _ldap._tcp.gc._msdcs.mynet.net.

    Impact:
    Active Directory Domain Services (AD DS) operations that depend on locating a Global Catalog will fail.

    Resolution
    Click Start, click Network, click Network and Sharing Center, and then click Change adapter settings to configure DNS servers that can resolve the name _ldap._tcp.gc._msdcs.mynet.net.

    http://go.microsoft.com/fwlink/?LinkId=121970



  • Here are the results of the ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Starbase
      Primary Dns Suffix  . . . . . . . : mynet.net
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : mynet.net

    Ethernet adapter vEthernet (D-Link DGE-530T Gigabit Ethernet Adapter - Virtual Switch):

    Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
      Physical Address. . . . . . . . . : B8-A3-86-7C-1E-20
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      IPv4 Address. . . . . . . . . . . : 192.168.0.4(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.0.1
      DNS Servers . . . . . . . . . . . : 192.168.0.2
                                          192.168.0.1
                                          192.168.0.4
                                          127.0.0.1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
      Physical Address. . . . . . . . . : 00-1C-C0-65-9B-0E
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.0.1
      DNS Servers . . . . . . . . . . . : 192.168.0.1
                                          192.168.0.2
                                          192.168.0.4
                                          127.0.0.1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

    Media State . . . . . . . . . . . : Media disconnected
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{308716D4-362B-4F22-AF6F-4329875B6E05}:

    Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.2%15(Preferred)
      Default Gateway . . . . . . . . . :
      DHCPv6 IAID . . . . . . . . . . . : 251658240
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-AB-AC-B3-00-1C-C0-65-9B-0E
      DNS Servers . . . . . . . . . . . : 192.168.0.1
                                          192.168.0.2
                                          192.168.0.4
                                          127.0.0.1
      NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter isatap.{15E62D1F-803D-4A33-B62A-2767C7580D28}:

    Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.4%17(Preferred)
      Default Gateway . . . . . . . . . :
      DHCPv6 IAID . . . . . . . . . . . : 285212672
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-AB-AC-B3-00-1C-C0-65-9B-0E
      DNS Servers . . . . . . . . . . . : 192.168.0.2
                                          192.168.0.1
                                          192.168.0.4
                                          127.0.0.1
      NetBIOS over Tcpip. . . . . . . . : Disabled



  • And finally here are the results of the dcdiag /dnsall

    Directory Server Diagnosis

    Performing initial setup:

    Trying to find home server…

    Home Server = Starbase

    * Identified AD Forest.
      Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\STARBASE

    Starting test: Connectivity

    ......................... STARBASE passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\STARBASE

    Starting test: Advertising

    ......................... STARBASE passed test Advertising

    Starting test: FrsEvent

    ......................... STARBASE passed test FrsEvent

    Starting test: DFSREvent

    ......................... STARBASE passed test DFSREvent

    Starting test: SysVolCheck

    ......................... STARBASE passed test SysVolCheck

    Starting test: KccEvent

    ......................... STARBASE passed test KccEvent

    Starting test: KnowsOfRoleHolders

    ......................... STARBASE passed test KnowsOfRoleHolders

    Starting test: MachineAccount

    ......................... STARBASE passed test MachineAccount

    Starting test: NCSecDesc

    ......................... STARBASE passed test NCSecDesc

    Starting test: NetLogons

    [STARBASE] User credentials does not have permission to perform this

    operation.

    The account used for this test must have network logon privileges

    for this machine's domain.

    ......................... STARBASE failed test NetLogons

    Starting test: ObjectsReplicated

    ......................... STARBASE passed test ObjectsReplicated

    Starting test: Replications

    [Replications Check,STARBASE] DsReplicaGetInfo(PENDING_OPS, NULL)

    failed, error 0x2105 "Replication access was denied."

    ......................... STARBASE failed test Replications

    Starting test: RidManager

    ......................... STARBASE passed test RidManager

    Starting test: Services

    Could not open NTDS Service on STARBASE, error 0x5

    "Access is denied."

    ......................... STARBASE failed test Services

    Starting test: SystemLog

    A warning event occurred.  EventID: 0x00001796

    Time Generated: 10/02/2014  07:59:08

    Event String:

    Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

    An error event occurred.  EventID: 0xC0001B63

    Time Generated: 10/02/2014  07:59:39

    Event String:

    A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.

    An error event occurred.  EventID: 0xC0001B63

    Time Generated: 10/02/2014  08:00:09

    Event String:

    A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.

    An error event occurred.  EventID: 0xC0001B58

    Time Generated: 10/02/2014  08:00:09

    Event String:

    The Smart Card Device Enumeration Service service failed to start due to the following error:

    An error event occurred.  EventID: 0x00002720

    Time Generated: 10/02/2014  08:01:02

    Event String:

    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

    ......................... STARBASE failed test SystemLog

    Starting test: VerifyReferences

    ......................... STARBASE passed test VerifyReferences

    Running partition tests on : ForestDnsZones

    Starting test: CheckSDRefDom

    ......................... ForestDnsZones passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... ForestDnsZones passed test

    CrossRefValidation

    Running partition tests on : DomainDnsZones

    Starting test: CheckSDRefDom

    ......................... DomainDnsZones passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... DomainDnsZones passed test

    CrossRefValidation

    Running partition tests on : Schema

    Starting test: CheckSDRefDom

    ......................... Schema passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration

    Starting test: CheckSDRefDom

    ......................... Configuration passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : mynet

    Starting test: CheckSDRefDom

    ......................... mynet passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... mynet passed test CrossRefValidation

    Running enterprise tests on : mynet.net

    Starting test: LocatorCheck

    ......................... mynet.net passed test LocatorCheck

    Starting test: Intersite

    ......................... mynet.net passed test Intersite

    All and any comments or suggestions greatly appreciated

    **NOTE: In this post I have substituted my registered domain name with mynet**

    WD


  • LAYER 8 Global Moderator

    What a mess - this is your DC?  Why do you have it setup multihomed with 2 interfaces in the same network?

    Do you have other DCs – why are you pointing to 192.168.0.1 for DNS?

    Why do you have all the teredo, 6to4 and isatap stuff turned on?



  • Thanks for your reply

    What a mess - this is your DC?  Why do you have it setup multihomed with 2 interfaces in the same network?

    This network is for education purposes.  After installing Windows 2012 R2 I was getting a message that the server should have 2 network cards.  I installed a second card and the machine stopped complaining about that.

    Do you have other DCs – why are you pointing to 192.168.0.1 for DNS?
    I only have the one DC.  192.168.0.1 is the lan side of the pfsense box.  Should I not be using the pfsense machine to do dns?

    Why do you have all the teredo, 6to4 and isatap stuff turned on?

    This is all stuff that was installed and turned on as part of the basic install of the server.  I can turn it off if it is recommended.

    Again, all and any comments or suggestions are appreciated.



  • Active Directory and DNS are tightly coupled.  If you're running a Windows domain, you're better off using your domain controller to handle your DNS/DHCP.


  • LAYER 8 Global Moderator

    "I only have the one DC.  192.168.0.1 is the lan side of the pfsense box."

    How does pfSense know about your AD DNS stuff?  In an AD setup the only thing that should be pointed to for DNS by any AD members is AD DNS.  Nothing else is going to have the records about your AD other than your AD DNS.

    What was complaining about 2 nics??  Did you setup this box as proxy or router?  AD DC should not have 2 interfaces - especially in the same network!!

    Unless you're using IPv6 over IPv4 transition methods you have no need of those - to be honest you prob have no need for IPv6 at all, and should prob disable it completely.



  • I am running a Windows Domain.  I'm starting to realize that the pfsense router is not ideal for a Windows Domain.

    When I first setup the server and ran the Best Practice Analyzer it told me the machine should have 2 network adapters.  After installing the 2nd adapter the BPA no longer complains about network adapters.

    I've removed the pfsense from the list of dns machines and I no longer get the errors about it not being able to resolve the AD stuff.  Now I'm just getting a message that the adapters should have a preferred and alternate DNS servers configured.

    Thanks again to all commenters.


  • LAYER 8 Global Moderator

    " I'm starting to realize that the pfsense router is not ideal for a Windows Domain. "

    What does the router/firewall have to do with a windows domain – let me think about it for 2 seconds..  Yup that would be NOTHING!!!

    Think for 2 seconds -- why would a DC need 2 NICs??  Makes NO sense AT all!!  Never heard of such a thing.. Only if it was going to be a proxy or router would it make sense that it needs 2 NICs..  Is this some small business version of Windows?

    You don't need two NICs!!  But yes you need to have your DNS for AD correct..  And you don't need alternative DNS either..  How many boxes in your AD are running DNS??  Let me take a guess, 1 -- so how would you have an alternative DNS server?
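The DC-side check and fix this thread converges on, as an added PowerShell example that is not from any post above. It assumes the addresses in the poster's ipconfig output (DC at 192.168.0.2, pfSense LAN at 192.168.0.1, domain mynet.net) and that the DnsClient and DnsServer modules are present, which they are on a Windows Server 2012 R2 DC with the DNS Server role; run it in an elevated PowerShell on the DC. Step 2 is the query behind the BPA error: only a server hosting the AD zone (here, the DC itself) can answer for `_ldap._tcp.gc._msdcs.mynet.net`, so pfSense at 192.168.0.1 fails it unless its DNS Resolver carries a domain override for mynet.net that points back at the DC. Kerberos, LDAP, Group Policy and replication all locate DCs through these SRV records, which is why a resolver that cannot answer them breaks far more than name lookup. Step 3 applies the moderator's advice with one caveat: the BPA also warns when 127.0.0.1 is the first entry, so the DC's own address goes first and the loopback second, which also gives the adapter a preferred and an alternate server without inventing a second DNS host.

```powershell
# Added example, not from the thread. Assumed values, taken from the poster's ipconfig output:
$Domain   = 'mynet.net'
$DcIp     = '192.168.0.2'      # the DC's own address
$Upstream = '192.168.0.1'      # pfSense LAN address, used only as a forwarder
$GcSrv    = "_ldap._tcp.gc._msdcs.$Domain"

# 1. Show what each IPv4 adapter currently uses for DNS.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Ask every configured server directly for the Global Catalog SRV record.
#    This is the lookup the BPA rule performs; a resolver that does not host
#    (or forward) the AD zone answers NXDOMAIN and is reported as FAIL.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
foreach ($s in $servers) {
    try {
        $rec = Resolve-DnsName -Name $GcSrv -Type SRV -Server $s -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $targets = ($rec | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        '{0,-12} OK   -> {1}' -f $s, $targets
    } catch {
        '{0,-12} FAIL -> {1}' -f $s, $_.Exception.Message
    }
}

# 3. Fix: the DC points only at itself; its DNS server forwards everything else
#    to pfSense. Own IP first, loopback second (the BPA flags 127.0.0.1 as first entry).
$nic = (Get-NetIPAddress -IPAddress $DcIp -AddressFamily IPv4).InterfaceAlias
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $DcIp, '127.0.0.1'
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false
Register-DnsClient          # equivalent of ipconfig /registerdns
Restart-Service Netlogon    # re-registers the _msdcs SRV records in the AD zone

# 4. Re-check with the DNS-specific dcdiag test rather than the default test set.
dcdiag /test:DNS /DnsAll
```

If the second adapter stays installed, give it no DNS servers at all (or unbind it), otherwise the DC keeps registering both 192.168.0.2 and 192.168.0.4 for every SRV record. Domain members should then receive 192.168.0.2 as their only DNS server from the pfSense DHCP scope; if you prefer that clients keep using pfSense as their resolver, the supported way is a Domain Override for mynet.net (and the 0.168.192.in-addr.arpa reverse zone) under Services > DNS Resolver that forwards to 192.168.0.2, which is what the later poster in this thread set up.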



  • 4 years and still relevant. Mr. Johnpoz (the little friendly devil). I have a Server Essentials 2016 license. It's not meant to be used even twice, in a VM or outside of one. And I'm using a pfSense FW with conditional DNS forwarding capability. It also has the option to be used for 'domain overrides'. This setup is to be used in a production environment with a 4 hour SLA to reproduce the AD DC with DNS, should it fail in VMware.

    Yet: I'd like to solve those best practice errors without configuring the PDC as if there will never be a SDC. Because i think there will be and at that point I'd love to just change one ip address and see everything become green.

    I've been a system admin for quite a few years but networking is not my best skill (yet). So I was actually wondering about the same. Can I set any service in PFSense to 'spoof' a secondary DNS with all green servers in my solitary PDC?

    I will keep you posted because it seems enough people are looking at this thread. Thanks for the response effort so far! (I started out learning this networking stuff as a teacher too, by the way :-) Let's not throw out pfSense as 'not the best solution' yet.)



  • Ok. So. By using my 30.10.10.in-addr.arpa and assigning my PDC's IP address (which I called the SDC reverse LUZ spoof), and assigning that same IP to my.domainname.tst (SDC DNS LUZ spoof), I lost 7 of the 9 BPA flags.

    The last two I will solve later but since there is a list of system DNS servers usable both on WAN and LAN interface i have to figure out which one is seen as first and which one second.

    But most and for all little devil: yes! It can be done. It might not be advisable for obvious reasons, but yes, it can be done!

